OUTLAW
- [2026.05.20] Outlaw/mdrfckr relay activity from Syrian institutional IP space
An IP address in a network block attributed to Syrian government services (AS29256) is relaying activity consistent with Outlaw/mdrfckr botnet propagation. We assess this as compromised infrastructure, not state-directed activity. Our distributed honeypot network captured the relay chain end-to-end: a three-tier SSH scanning pipeline, a modern exploitation tool advertising ML-KEM-capable key exchange, the mdrfckr SSH key injection, and a 23-second automated burst of 18 reconnaissance commands. This is not new malware research. It is a field observation showing how old commodity botnets continue to exploit weak SSH hygiene and can quietly turn institutional infrastructure into relay nodes.
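As an added example (not part of the original write-up), two defender-side checks for the indicators summarised above: a scan of `authorized_keys` for an entry whose comment field is the `mdrfckr` marker the Outlaw key injection is known to use, and a detector that flags sessions issuing many commands in a short window, like the 18-command, 23-second burst. The Cowrie-style log line format and the marker string are assumptions here; all sample input is constructed.

```python
import re
from datetime import datetime, timedelta
# Constructed Cowrie-style command log, "<ISO time> <session> CMD: <command>".
# Session auto1 replays 18 commands in 23 s (the burst shape described above);
# session human1 issues 3 commands over two minutes.
_T0 = datetime(2026, 5, 20, 3, 14, 0)
_BURST = ["uname -a", "cat /proc/cpuinfo", "free -m", "nproc", "w", "id", "uptime",
          "ls -la /root", "cat /etc/passwd", "crontab -l", "ps aux", "df -h",
          "lscpu", "cat /etc/os-release", "ifconfig", "netstat -tulpn", "ls /tmp", "which gcc"]
SAMPLE_LOG = [f"{(_T0 + timedelta(seconds=i * 23 / 17)).isoformat()} auto1 CMD: {c}"
              for i, c in enumerate(_BURST)]
SAMPLE_LOG += [f"{(_T0 + timedelta(seconds=s)).isoformat()} human1 CMD: {c}"
               for s, c in [(5, "ls"), (60, "cat notes.txt"), (120, "exit")]]

# Constructed authorized_keys: a legitimate entry plus an injected one whose
# comment field is the assumed "mdrfckr" marker (key data is a placeholder).
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYDATA mdrfckr
"""

LOG_RE = re.compile(r"^(\S+) (\S+) CMD: (.*)$")


def parse_log(lines):
    """Group (timestamp, command) pairs by session id; non-command lines are skipped."""
    sessions = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, sid, cmd = m.groups()
            sessions.setdefault(sid, []).append((datetime.fromisoformat(ts), cmd))
    return sessions


def command_bursts(lines, min_commands=10, max_seconds=30):
    """Return {session: (count, span_s)} for sessions pacing faster than an operator would."""
    flagged = {}
    for sid, events in parse_log(lines).items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(events) >= min_commands and span <= max_seconds:
            flagged[sid] = (len(events), span)
    return flagged


def find_marker_keys(authorized_keys_text, marker="mdrfckr"):
    """Return 1-based line numbers of entries whose comment field equals marker.
    Entry layout is '[options] type base64 [comment]', so the comment is last."""
    return [n for n, line in enumerate(authorized_keys_text.splitlines(), 1)
            if len(line.split()) >= 3 and line.split()[-1] == marker]
```

Run against a host's real `authorized_keys` and honeypot command log to surface both the injected key and scripted sessions; tune `min_commands` and `max_seconds` to the pace of legitimate automation in your environment.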